Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

Trailrunner7 writes "The number of IP addresses required for large scale botnets to operate effectively can be considerable, and finding large IP blocks to use for them can be difficult. If the botnet operators do find them, the IP addresses often are blacklisted quickly by reputation systems and are then useless for the attackers. Now, in one effort to get around these systems, some attackers are taking advantage of the lack of IPv4 space by either purchasing or renting blocks of IP space with good reputations that have been built up over the course of several years. A number of legitimate trading and auction sites appeared as the IPv4 space became scarcer, and the attackers have gotten involved as well, getting their hands on known good IP blocks and using them for C&C or hosting malware."

FTFA: "The bad guys can buy or rent these as well, getting inside known good IP blocks so that the reputation systems don't blacklist them as quickly."
Criminals establish "safe houses" in nice neighborhoods. Film at eleven.

FTFA: "The bad guys can buy or rent these as well, getting inside known good IP blocks so that the reputation systems don't blacklist them as quickly."
Criminals establish "safe houses" in nice neighborhoods. Film at eleven.

Besides, these cat-and-mouse games aren't going to stop the widespread, automated compromises of Windows systems that make botnets possible in the first place. It also won't eliminate the average users' notion that security must always be someone else's problem, that they don't need to learn a few basic things that would make them much harder targets (particularly for trojans and other user-assisted exploits).

Inconvenient though it may sometimes seem, we need to look at the cause-and-effect and address

Oh horseshit. Microsoft makes ease-of-use it's focus because that is what it's customers want. Does your house come with a warning that trimming the shrubs is required, and if they grow too large it is bad for security? Does the home builder bear liability if someone hides behind the shrub, breaks a window and gets in? Does the homeowner? No to all of those - the only one we hold responsible is the person who broke in. And why single out Microsoft for liability? If Microsoft is liable, why aren't all

Oh horseshit. Microsoft makes ease-of-use it's focus because that is what it's customers want. Does your house come with a warning that trimming the shrubs is required, and if they grow too large it is bad for security? Does the home builder bear liability if someone hides behind the shrub, breaks a window and gets in? Does the homeowner? No to all of those - the only one we hold responsible is the person who broke in. And why single out Microsoft for liability? If Microsoft is liable, why aren't all software vendors (including FOSS)? Equal justice and all that.

Most people think like you do: childishly. They will pass up an available, doable solution that will work because it might mean a slight bit more effort for users and might not fulfill their visceral desire to feel the gratification of hanging the black-hats by their toes. I know exactly how you think. Anything that doesn't give users streets paved with gold and their every heart's desire while simultaneously torturing the evil hackers to death would be... UNFAIR. That makes it against your religion, a

I think you might have trouble finding 50,000 actual working installations of QNX with internet connections. The simple point being that Windows is by far and large the largest target. No one in their right mind is going to waste time developing a botnet on the small potatoes like QNX, VAX, or Mac.

Besides, these cat-and-mouse games aren't going to stop the widespread, automated compromises of Windows systems that make botnets possible in the first place. It also won't eliminate the average users' notion that security must always be someone else's problem, that they don't need to learn a few basic things that would make them much harder targets (particularly for trojans and other user-assisted exploits).

Newsflash - Windows boxes are a lot harder to infect these days. In fact, the vast majority

Newsflash - Windows boxes are a lot harder to infect these days. In fact, the vast majority of compromises don't happen because you connected a Windows box to the Internet. They happen because the user browses to some website, and either a drive-by download happens and installs malware (either through a compromised website, or through a compromised ad network), or they run an attachment because the email says to.

I didn't really consider it relevant at the time, but consider the majority of the Windows userbase. They tend to not only be ignorant about technical matters, but they work hard to stay that way and will resent the notion that this should gradually change as they acquire experience. I call them permanent newbies. They're the people who can use computers for seven years and still remain as ignorant now as they were when they first started. They want to learn the basics of how their computers work about

A lot of users just see the computer as utility like a cooker or television. They just expect to be able to press a button to do a particular task and have that task complete.

It's a royal pain-in-the-ass when they want to open a file sent by a friend (dancing pig emoticons for E-mail, let alone a zip file) and the PC then tells them that they need to download or purchase XYZ application to view that file. So off they go to start up a browser, search for that file data type, find the application website, cli

You know, we're not going to defeat the word problem. "Retarded" is a perfectly correct word as is "negro" but neither are allowed. Frankly, I like "negro" better than black (even though they mean exactly the same thing) because I think it sounds cooler -- unfortunately, a bunch of uneducated whiteys couldn't say it right and it became nigger ruining a perfectly good word. And African-American isn't right either... it's just more wrong and inaccurate. And Retarded? well, can't say that any longer eithe

Frankly, I like "negro" better than black (even though they mean exactly the same thing) because I think it sounds cooler -- unfortunately, a bunch of uneducated whiteys couldn't say it right and it became nigger ruining a perfectly good word.

It's funny, because Negro comes from the Portuguese, well, Negro (although it's pronounced differently), which is much more accepted here than the translated version of Black ("preto").

They could just get some crackheads to do it for them. They need the money now and don't care about the future. Even if the police come by, buying IP addresses isn't illegal and the crackhead in question probably has no notion what nefarious purposes an IP address can be used for.

I call BS. Hackers don't rent or buy IP addresses for botnets. The bots run on machines each of which has an IP address already. And when they do need IP addresses, they steal them: find an address assignment not currently routed on the Internet and forge papers they present to the ISP claiming to be the actual registrant.

There are a number of protections in place at ARIN and the other Internet Registries which do a reasonably good job preventing hackers from taking actual "ownership" of blocks of IP addresses.

While there is such a thing as a "legitimate trading and auction sites," there are also a lot of snake oil salesman out there right now claiming legitimacy. Here's a hint: the legitimate ones don't cater to the hacker crowd because they know perfectly well they can't effect a registry transfer without meeting the registry's criteria for "legitimate need."

Having haggled with ARIN, I have to say it is a pain in the ass to get IP addresses from them (though they are really nice people on the phone). Hackers hack computers with existing IPs. That's why they are called hackers. Spammers on the other hand, purchase services from hosting providers who have purchased IPs. And if they abuse their IPs they fire them as customers. I know because that's what we do at our datacenter.

In that situation, they're not renting addresses. They're purchasing colo service, for which some number of addresses is appropriate. Same as they have done for nearly two decades using so-called "bulletproof hosting" companies. It's not by any means an IPv4 run-out phenomenon as the article proclaims and they're no renting bare IP addresses from you regardless.

Was it ARIN-assigned addresses or legacy addresses which predated ARIN? If the former, did you report it as fraud and supply your evidence that led you to believe that the entity in question was not using addresses according to ARIN's standards? (for legacy addresses, ARIN's rules only really apply when there's a transfer)

It should be justifiable homicide to shoot and kill spammers, phishers, malware authors, and those asshats attempting dictionary attacks against a bunch of pop3 accounts looking for a new spam vector. Any nation that does not enact such a law should be labeled a rogue threat to humanity and be nuked until there is nothing left to nuke.

I feel your pain, but come on now. Capital punishment for spamming? It's a tough enough case to push for justifiable homicide if someone physically breaks into your house and tries to rob you. How are you going to press the case that, "he spammed me, so I shot his ass"? Scams, fraud and general douche-hattery are not new. This is just a newer realm for them.

Shouldn't we instead be referring to "botnet operators" or some such? I'm not making the "hacker" versus "cracker" argument, since language and words are dynamic - but even if we just use hackers in the pejorative sense, we're talking about a much larger group than just the subset who run botnets.

The word "hacker" is now so permanently ruined, we ought to just stop using it altogether. These days, leaving your Facebook or Twitter account logged in on a shared machine, and then having someone else notice that fact and make a posting under your account, is what the general population considers "hacking" to be.

from getting IP space from a datacenter and using it until it gets a bad reputation.

And besides, if you have a block of IPs just to cycle it between botnets and spammers, just because it changes hands doesn't clean the block's reputation. So these blocks will also get blacklisted in short order.

Yup. This isn't really anything new to IT either - just an extension of the company-buys-Schwinn and churns out $80 Walmart bikes story. To an MBA a reputation that cost a century to build is just an asset whose NPV is less than the cash you can get for pimping it on anything with two wheels.

As the summary, these spammers (to use the appropriate term; botnets aren't much use for "hacking") are basically reverse Midas to IP blocks: Whatever they touch is blacklisted. All that this means is that non-blacklisted address space becomes scarcer to the point where either these assholes can't afford it, or ICANN introduces new rules to seize address space that is abused (which would be a worrying precedent on the censorship & net neutrality front), or everyone switches to IPv6.

Frankly, I wouldn't mind something that speeds that along. It will never reach wide adoption without pressure.

Wonder how fast will IPv6 non-blacklisted IPs run out with all the spammers out there.

Also, on an unrelated note — some day governments will realize, that "child pron" distraction no longer works and will switch to spammers and and botnet operators, that is sure to distract the public's attention while slowly imposing measures to control the internet.

If you never sent any large quantities of mail, you do not have a good reputation (just 'no reputation'). Trying to send large quantities of mail is impossible to large parties. If you let a warm IP 'cool', its reputation is gone. It takes many months, or longer, to heat it up. One bad mailing = blacklistings (which are 1 to 3 days) + a hit in reputation.